Locker Ransomware Utilizes a Unique Delivery Mechanism

The cyber security expert Michael Fratello has published a detailed analysis of the Locker ransomware, which implements a unique delivery mechanism.

On May 25th, 2015, a wave of reports came flooding in from users around the globe, claiming that their computers had been compromised. Messages from users looking for help began appearing on forums such as Bleeping Computer, where screenshots and further information regarding the incident came to light.

It became clear that these users had become infected with a new variant of ransomware whose name, derived from the window that opens on the infected device, has been dubbed the “Locker” ransomware by Lawrence Abrams of Bleeping Computer.

The delivery mechanism of this new ransomware variant is quite interesting. Not only did this variant utilize a chain of various services and executables to reach its final stage, but the Trojan Downloader that retrieved the ransomware payload appears to have done so in a fashion that can be described as quite similar to a “logic bomb”, triggering at midnight on the 25th.

Where did this Trojan Downloader come from? This question has been answered to some extent, but speculation remains as to whether additional infection vectors exist, or whether the downloader is being spread by other malicious software. One infection vector, however, is known: a cracked copy of Minecraft, specifically the cracked “Team Extreme” version of Minecraft.

The Locker Ransomware

Like the various other ransomware variants that we have observed in-the-wild, Locker enumerates the targeted device’s local file system, searching for files with specific extensions to encrypt. After enumerating the file system and encrypting those files with AES, Locker opens a window containing a ransom note and information regarding the infection.

This window explains what happened to the file system, provides payment information, and demands an initial ransom of 0.1 bitcoin.


Locker affects all versions of Windows, including Windows XP, Windows 7, and Windows 8. The Trojan Downloader that delivers Locker is installed as a Windows service with a random file name; the executable that installs the downloader resides in the C:\Windows\SysWOW64 directory of the affected file system.

Additionally, another service was installed in the directory C:\ProgramData\Steg\ with the file name Steg.exe. When executed, this service creates a folder named Tor under C:\ProgramData\. After the creation of the Tor folder, yet another service, titled “LDR”, was installed; its associated executable resides within C:\ProgramData\rkcl\ as ldr.exe.

This service, whose name can be interpreted as “LOADER”, then installed and launched an executable within the same directory (C:\ProgramData\rkcl), saved as rkcl.exe. This program is the primary executable responsible for Locker’s ransomware activities.

Affected Files

Locker enumerates the local file system, searching all drives mounted with a drive letter, to discover supported data files to compromise. Targeted files are identified by matching their extensions against Locker’s list of supported extensions. However, this match is case-sensitive: files with lower-case extensions (e.g. .doc) are affected, whereas files with upper-case extensions (e.g. .DOC) are not.

Recovery

Locker’s detrimental activities do not cease upon completion of file system enumeration and encryption. Once encryption completes, Locker attempts to delete all Volume Shadow Copies (VSCs) found on the targeted file system.

This prevents the victim from using System Restore or the “Previous Versions” tab in a file’s Properties dialog to restore the affected file to its previous state. The command Locker issues to delete all Volume Shadow Copies is:

vssadmin.exe delete shadows /for=C: /all /quiet
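As an added example that is not part of the original analysis, the following Python detection logic flags two behaviours described here, the vssadmin shadow-copy deletion and execution from the C:\ProgramData\Steg and C:\ProgramData\rkcl staging directories, over constructed process-creation log lines in a simplified CSV form (the sample export and its column names are an assumption, not a real capture).

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample export (not a real capture): time, image path, command line,
# mimicking a simplified CSV export of Windows process-creation events.
SAMPLE_LOG = """\
time,image,cmdline
2015-05-25T00:00:03,C:\\ProgramData\\Steg\\Steg.exe,Steg.exe
2015-05-25T00:00:09,C:\\ProgramData\\rkcl\\ldr.exe,ldr.exe
2015-05-25T00:01:40,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe delete shadows /for=C: /all /quiet
2015-05-25T08:12:00,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe list shadows
2015-05-25T09:00:00,C:\\Program Files\\Tool\\tool.exe,tool.exe /run
"""

# Shadow-copy deletion in the form Locker issues it: "delete shadows" with /all /quiet.
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b.*\s/quiet\b", re.I)
# Directories under C:\ProgramData that Locker's delivery chain executes from.
STAGING_DIRS = ("c:\\programdata\\steg\\", "c:\\programdata\\rkcl\\")


def classify(image: str, cmdline: str) -> List[str]:
    """Return the names of the rules this record matches (empty list if none)."""
    hits = []
    if VSS_DELETE.search(cmdline):
        hits.append("vss_shadow_deletion")
    if image.lower().startswith(STAGING_DIRS):
        hits.append("locker_staging_dir_exec")
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export and return only the records that triggered a rule."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = classify(row["image"], row["cmdline"])
        if hits:
            alerts.append({"time": row["time"], "image": row["image"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["image"], ", ".join(alert["rules"]))
```

A benign "vssadmin.exe list shadows" is left unflagged, so the rule keys on the deletion switches rather than on vssadmin itself.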

Evasion Techniques

Locker employs several techniques to evade analysis. Like many of the newer, sophisticated ransomware variants found in-the-wild today, Locker checks whether it is running within a virtual machine (e.g. VMware, VirtualBox) and terminates itself if so.

Additionally, it terminates itself if it detects any of the following processes running, many of which are used by malware analysts:

Locker initially demands a ransom of 0.1 bitcoin to an assigned bitcoin address. After 72 hours of non-payment, the ransom increases to 1 bitcoin. While running, Locker makes requests to blockchain.info to verify whether or not the victim has submitted a payment.

If the data returned by blockchain.info indicates that a full payment has been made, Locker performs a second check against its C2 (command-and-control) server.

Locker’s command-and-control server is located at jmslfo4unv4qqdk3.onion.

If both requests report that a proper payment has been submitted, Locker automatically downloads a file named priv.key, which it stores in the C:\ProgramData\rkcl folder on the targeted device. As its name suggests, this file contains the private key that Locker then uses to decrypt all affected files.

This automated decryption process, rather than requiring the user to download a separate decryption utility, is unique to this ransomware variant.

Additional Dropped Files

Additionally, a series of data files can be found dropped within the local file system of the affected device. The following files are dropped during the installation process of the Locker ransomware:

data.aa0: contains a list of the encrypted files
data.aa1: purpose currently unknown
data.aa6: contains the victim’s unique bitcoin address
data.aa7: contains an RSA key; however, this is not the decryption key
data.aa8: contains a [random] version number for the Locker GUI
data.aa9: contains the date that Locker became active
data.aa11: purpose currently unknown
data.aa12: purpose currently unknown
priv.key: contains the victim’s unique decryption key; this file is only downloaded after full payment is made and verified
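As an added example that is not part of the original analysis, the following Python routine checks a ProgramData tree (for instance an offline-mounted image of the affected disk) for the dropped files and directories described in this analysis, and reads data.aa0 for recovery planning. The fixture tree it builds is constructed for illustration, and the one-path-per-line layout assumed for data.aa0 is an assumption, since the analysis does not document that file's format.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Artifacts named in the analysis, relative to C:\ProgramData.
KNOWN_FILES = {
    "Steg/Steg.exe": "downloader service executable",
    "rkcl/ldr.exe": "LDR (loader) service executable",
    "rkcl/data.aa0": "list of the encrypted files",
    "rkcl/data.aa6": "victim's unique bitcoin address",
    "rkcl/data.aa7": "RSA key (not the decryption key)",
    "rkcl/data.aa8": "version number for the Locker GUI",
    "rkcl/data.aa9": "date Locker became active",
    "rkcl/priv.key": "decryption key (present only after verified payment)",
}
KNOWN_DIRS = {
    "Tor": "created by the Steg service",
    "Digger": "bitcoin-mining directory (activity predating the ransomware)",
}


def triage(programdata: Path) -> Dict[str, List[str]]:
    """Report which known artifacts exist under the given ProgramData root.
    'unknown_data' lists data.aa* files whose purpose the analysis leaves open."""
    files = [rel for rel in KNOWN_FILES if (programdata / rel).is_file()]
    dirs = [rel for rel in KNOWN_DIRS if (programdata / rel).is_dir()]
    rkcl = programdata / "rkcl"
    unknown = sorted(p.name for p in rkcl.glob("data.aa*")
                     if f"rkcl/{p.name}" not in KNOWN_FILES) if rkcl.is_dir() else []
    return {"files": files, "dirs": dirs, "unknown_data": unknown}


def encrypted_file_list(programdata: Path) -> List[str]:
    """Read data.aa0, the list of encrypted files, for recovery planning.
    Assumption (format not documented in the analysis): one path per line."""
    path = programdata / "rkcl" / "data.aa0"
    if not path.is_file():
        return []
    return [ln.strip() for ln in path.read_text(errors="replace").splitlines() if ln.strip()]


def build_sample_tree() -> Path:
    """Constructed test fixture: a fake ProgramData with a partial Locker footprint."""
    root = Path(tempfile.mkdtemp())
    (root / "rkcl").mkdir()
    (root / "rkcl" / "ldr.exe").write_bytes(b"")
    (root / "rkcl" / "data.aa0").write_text("C:\\Users\\a\\doc.doc\nC:\\Users\\a\\pic.jpg\n")
    (root / "rkcl" / "data.aa11").write_bytes(b"")
    (root / "Digger").mkdir()
    return root
```

Run triage against a mounted image rather than the live host where possible, and preserve data.aa0 and the RSA key file intact, since they are the victim's record of what was encrypted.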

More Unique Characteristics

While Locker’s delivery and decryption mechanisms are unique in themselves, activity and files found on affected file systems reveal more information. If an affected victim finds the following directory on their local file system:

C:\ProgramData\Digger

This indicates that the victim’s device was being used as a bitcoin miner by the attacker prior to the Locker ransomware becoming active. The affected devices may therefore have been compromised and involved in nefarious activity for an unknown period of time, often for months prior to the ransomware becoming active.

Associated Locker Files, Trojan Downloader File Hashes

As previously stated, at the time of writing Locker is only known to have been spread via a cracked version of Minecraft, reportedly the “Team Extreme” version of the cracked software. There are two (2) known Trojan Downloader executable files that have been analyzed and confirmed as malicious at this time. They are:


Locker Screenshots

Locker GUI Informational Tab / Initially Presented Ransom Information

Locker GUI Payment Information Tab

Locker Sample Timeline

The following timeline details the associated services and the overall progression of the Locker ransomware and its Trojan Downloader’s activities.

This timeline was constructed after analysis of a device that was newly purchased and configured on 19 May 2015, but which unfortunately also fell victim to the Locker ransomware. The affected user had also installed the cracked “Team Extreme” version of Minecraft.

Special thanks to the team at BleepingComputer.com for the fast analysis and contribution of information regarding this infection; specifically, Lawrence Abrams and Nathan Scott. Additionally, granular analysis and detailed information were largely contributed by: Fabian Wosar of Emsisoft and Mark and Erik Loman of SurfRight.

Prevention Methods

Host-based intrusion prevention software (HIPS) such as McAfee HIPS, HitmanPro.Alert, and other anti-exploit software can help prevent infections of this kind. Additionally, configuring Windows’ native Software Restriction Policies can aid in the prevention of future infections carried out in a similar manner.

Tools such as CryptoPrevent by FoolishIT LLC (free and enterprise versions are both available) have also been created specifically to prevent ransomware from successfully infecting your device.

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York. Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
